Jump to content
Tuts 4 You

Leaderboard

  1. kao

    kao

    Full Member+


    • Points

      223

    • Content Count

      2,429


  2. Teddy Rogers

    Teddy Rogers

    Administrator


    • Points

      167

    • Content Count

      9,081


  3. Kurapica

    Kurapica

    Full Member


    • Points

      129

    • Content Count

      933


  4. CodeExplorer

    CodeExplorer

    Moderator


    • Points

      127

    • Content Count

      3,125


Popular Content

Showing content with the highest reputation since 04/12/2020 in all areas

  1. awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)
    18 points
  2. Here are some of my keygen/crack GFX's / templates i've made on photoshop + WinASM studio these days : (1) https://imgur.com/vS71RaO (2) https://imgur.com/3fWUf30 (3) https://imgur.com/5YfB8Xg (4) https://imgur.com/2Bt54Ne (5) https://imgur.com/fDC4FfK (6) https://imgur.com/p4TBQ4J (7) https://imgur.com/gNOgPnR (8) https://imgur.com/vkwSQ01 Please note that PERYFERiAH team is not a warez group. It is actually a vlogging team since i was making vlogs in high school in the past. And the people of the PERYFERiAH (PRF for short) were actually my
    11 points
  3. So you want to download some releases from snd? alright let's see at snd.webscene.ir, the distribution section menu contain a link pointing at hxtps://keygens.pro/ Super, looks like there a lot of cracks over here! and the site is virus free, right? So let's pick something, i don't know, maybe 7-Data.Card.Recovery.1.1.keygen-SND hxtps://keygens.pro/crack/729775/ lol @ description on the page, didn't know reagan was from snd and born in russia Anyway we got redirected on a download page after clicking 'Download only Keygen' button, we have to fill a captcha and agree
    10 points
  4. Tango down for 109.201.133.80 (keygens.pro, serials.be, crack.ms) Meanwhile, 54.36.184.139 (crackinns.com, torrentheap.com, crackheaps.com, cracknets.net, cracksnet.net, cracknet.net, keygenit.net, keygenom.net, cracksgurus.com, keygenninja.com, serialms.com, mackeygens.com, mediagetsite.com, get.ziplink.xyz, get.ziplink.stream) are still spreading malware. Abuse sent too, but nothing followed for the moment, so here is some insight about their infra in the meantime (when all else fails, crowbar the fornicationer) Embedded mini-admin panel to administrate the fake sites, allow t
    10 points
  5. 9 points
  6. No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it. Password is: There are 3 ways to solve it: Easy way (1/10) : open file in hex editor, check the strings and find solution there. Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters. "Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that. 1) Compare original KoiVM method handlers with DiamondVM method handlers:
    8 points
  7. 20,501 downloads

    A collection of tutorials aimed particularly for newbie reverse engineers. 01. Olly + assembler + patching a basic reverseme 02. Keyfiling the reverseme + assembler 03. Basic nag removal + header problems 04. Basic + aesthetic patching 05. Comparing on changes in cond jumps, animate over/in, breakpoints 06. "The plain stupid patching method", searching for textstrings 07. Intermediate level patching, Kanal in PEiD 08. Debugging with W32Dasm, RVA, VA and offset, using LordPE as a hexeditor 09. Explaining the Visual Basic concept, introduction to SmartCheck and configurati
    8 points
  8. Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit): 1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET. 2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections. 3. Spend some time analyzing Agile.NET VM, we find out that it's VM is somewhat different to others as it creates "combined" handlers
    7 points
  9. Necrobit To mess up the old de4dot implementation, the .Net reactor changed the P / Invoke methods, but for the unpack, you can use the SMD from Code Cracker, which will do an excellent job of this. Control Flow To break de4dot.blocks, ezriz added a number of instructions to the flow cases, which de4dot cannot process, it's easy to fix it, just repeat after me) String Encrypt Ezriz changed the resource encryption algorithm for strings, which messed up the old decryptor implementation. This problem is solved by dynamic emulation of the method, with
    7 points
  10. I just published my own write-ups on my GitHub, if anyone is interested https://github.com/Washi1337/ctf-writeups/tree/master/FlareOn/2020
    7 points
  11. Fun challenge. I went for finding just the key algorithm rather than fully devirtualizing, but the code is pretty clear. Here some sample keys: Approach: Keygen.7z
    7 points
  12. Sure, i gonna release a unpacker for net reactor 6x soon.
    7 points
  13. This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since year 2018... And it's called "Detours" And the cherry on the top! Just 4 problems in 9 lines of code! Must be a world record or something! 1) if CreateRemoteThread fails, ch
    7 points
  14. Oh I didn't try to be mean. It was just a feeling that I had while solving the challenge. I guess it was late in the night when I wrote this reply, which might made my post seem a little bit aggressive. Don't get me wrong, I really enjoyed reversing this challenge. Bruteforce challenges are just not really my cup of tea Anyway, I just pushed my full write-up with all scripts and dumps to my GitHub: https://github.com/Washi1337/ctf-writeups/tree/master/Miscellaneous/tuts4you/ClumsyVM
    6 points
  15. I am referring to threads and posts like these: If a solution is selectively provided only to the OP by PM then it defeats the whole purpose of the Crackme/Unpackme section. In such cases, the solution provider should not even be acknowledged unless they provide working steps for everyone to learn from. This forum is a learning platform and if solution providers are expected to share the methodologies that they used for the solution. Here is yet another thread where the posts from the solution providers who gave vague steps was approved: Basically another thread containin
    6 points
  16. @XenocodeRCE: I have a huge respect for you as a RE guy but now you're just being a d*ck. If you have some personal issues with mamo/localhost0/whatever he calls himself this week, please resolve them privately and don't make a huge public drama out of it. No matter how I count, it's 3 months and 2 days max. If you're gonna whine, at least get your facts right. Umm, no. The requirement from law is to react on any reported copyright infringements, not to actively run around and search for any possible issues. See DMCA 512(c). So, if admins ignored a properly re
    6 points
  17. https://mega.nz/file/xgonHADA#6-giBWOZXfODm7sLFAMzuCH9L2uQz4sL_9NNBlDkLTM - for those who don't want to fill in the stupid questionnaire with company email address, job position and what not. https://mega.nz/file/Nt4xSaoK#jRcuuuM2vS77DM9Y-KuT4UQUKiYIEl0KkKd6Cp9t7hE - code samples that TheHackersNews forgot to include. Book tries to cover very wide area of topics - from Windows to .NET to Linux, IoT, iOS, Android and shellcodes. By doing so, it fails to cover any of the topics in sufficient details. So, it's a "Jack of all trades, master of none".
    6 points
  18. https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator @GameHackerPM @BlackHat To fix delegates, controlflow, and strings here yous go ive made a tool with many comments to help you understand!
    6 points
  19. In my opinion that solution will be acceptable only if the tool used is public.
    6 points
  20. This is really the key point that probably should be the requirement for a post to be accepted. A solution should be reproducible, not a list of private tools that are used. Private tools are, as their name implies, private, and by definition that means it is everything but reproducible (unless this tool is shared with the reader of the solution). The only person benefiting from such a reply is the respondent themselves in the form of an ego boost. Not very productive if you'd ask me.
    6 points
  21. Is this a hidden feature of the protection or does the app just not work?
    6 points
  22. It might have a few weird instructions since i'm new to this Crackme-cleaned-Devirtualized2.zip Info: This is the first version of eaz that i analyze so i can't say how 2019.x is different from 2020.1 but its definitely not uncrackable Steps i took (as i should have included since the beginning): 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original
    6 points
  23. here is my production of face shields, already 200 dispatched around my town to local hospital, liberal nurses, etc...
    6 points
  24. Are you absolutely sure this is doable without bruteforce? After spending some hours on analyzing and devirtualizing, this crackme feels very much like a "guess-what-the-author-wanted-you-to-do" challenge, rather than an actual reverse engineering challenge where we have to infer the password based on the code. In the spoiler some more detailed info of why I think this is the case. EDIT:
    5 points
  25. For those interested, I have installed a new dark theme and deleted the others. Scroll to the bottom of the page to find the option to change themes... Ted.
    5 points
  26. Happy New Year 2021 For All members
    5 points
  27. Happy New Year and welcome to 2021! I hope we have a better year than 2020 and we get back to some normality... Ted.
    5 points
  28. 5 points
  29. Info: https://www.reddit.com/r/windowsxp/comments/iz46du/the_windows_xp_source_code_has_been_leaked_on/ Most of the torrent includes previous leaked data/files. But now claims to include the full source to Windows XP (looks like SP1 based on pics people have posted). If you plan to download this (42gig torrent) I'd seriously recommend a VPN.
    5 points
  30. Regexps are not particularly efficient here and simple string operations work much better. Anyways, I made a writeup on my blog (https://lifeinhex.com/deobfuscating-autoit-scripts-part-2/) and made a copy-paste below. Unfortunately, all the hyperlinks are gone and I just can't be bothered to go through each and every one of them. Also - it refers a lot to my old solution of another AutoIt crackme, so I really suggest to check that writeup as well: --------- Almost 4 years ago, I wrote a blogpost about deobfuscating a simple AutoIt obfuscator.
    5 points
  31. It's a really good question. The answer really depends. Let me give you few recent examples. Example #1: Extreme Coders names the tools and explains HOW to solve the crackme. A lot of effort is required but all the tools can be found via Google. So I have zero issues with the solution. Example #2: Prab names the tools but no explanation is given. "x86 retranslater" definitely cannot be found not on Google. "Clean control flow" tells the obvious thing but it doesn't explain HOW to do that. What's the point of such solution? The only thing reader wi
    5 points
  32. a key: i fixed de4dot for new reactor including method decryption, cflow etc... and finally devirt it. there are tutorials about fixing de4dot/devirt in this forum including this topic as well.
    5 points
  33. Steps: 1. Simple MSIL Decryptor by CodeCracker 2. Devirtualization tool i have been working on. .Net Reactor imo has a **basic** to intermediate VM. i suggest you give this a try! Tips on how to start: 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive))
    5 points
  34. What's the point of this? You ran my file under de4dot and repost it? i can recognise my file ya know, i intentionally left this out (i haven't finished local types yet but i manually set the third local to int32) + i added 9 locals when only 3 get used
    5 points
  35. Almost unpacked! I was only not able to remove the Delegates and the Control flow. What I removed is: - Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger) - Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs (not really re
    5 points
  36. .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, s
    5 points
  37. Very simple example, just to show the idea.. static void Main(string[] args) { using (var module = ModuleDefMD.Load(args[0])) { foreach (var type in module.GetTypes()) { foreach (FieldDef field in type.Fields) { // this will change all string constant values to "kao". Make sure to fix the `if`!!! if (field.HasConstant && field.ElementType == ElementType.String) { field.Cons
    4 points
  38. View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET)
    4 points
  39. finally my new effect has arrived and it's called "Crazy Word 0.1" by x0man , although it's ripped (with a little bit of help from KesMezar) to get the gradient color squares on the aboutbox bg , you must cut from a template using Mspaint (or perhaps just use some colored/gradiented image) , save it as JPG , and then you should insert 0Ah on these codes : mov var_4,0 push 0CC0020h; color for solid background i think .. push 0Ah ;0C8h picture height (200) push 0Ah ;190h picture width (400) push
    4 points
  40. 4 points
  41. That is it. Or c:\:$i30:$bitmap inside of a shortcut file would do the job. This will cause immediate corruption in Win10 builds 1803 or later. It will cause prompts to reboot to repair the disk and then chkdsk on boot will be unable to repair. This sounds quite dangerous as it makes downloading zip or rar archives and extracting them potentially harmful if they contain such a shortcut .lnk in them. https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
    4 points
  42. I will release an update for the tool which allows the skipping of metadata writing errors!
    4 points
  43. I also have to say that i'm impressed by the result. Excellent indeed. Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community. Personally, in solving the challenge, when dealing with this kind of obfuscators, I hook UnsafeInvokeInternal and get the result, This indeed works. In this case the challenge are simple so reversing the logic is also. However to properly reconstruct the assembly a different approach is obviously needed. About the Necrobit protection, what maybe
    4 points
  44. awesome.vmp35_cracked.exe Every other portion of VMP is removed including CRC etc check. But still it will not run until we fix Delegates. It is still left
    4 points
  45. 4 points
  46. 1,366 downloads

    I want to release a new tutorial about the popular theme Themida - WinLicense. So I see there seems to be still some open questions mostly if my older unpack script does not work anymore and the unpacked files to, etc. So this time I decided to create a little video series on how to unpack and deal with a newer protected Themida target manually where my older public script does fail. A friend of mine did protect unpackme's for this and in the tutorial you will see all steps from A-Z to get this unpackme successfully manually unpacked but this is only one example how you can do it, of course. S
    4 points
  47. Not necessary to unpack to get the key. Key: Steps :
    4 points
  • Newsletter

    Want to keep up to date with all our latest news and information?
    Sign Up
×
×
  • Create New...